VMware Horizon: A New Era of Enterprise IT

The mainframe was king when the PC revolution laid siege to big corporations. Employees would expense these small computers in order to free themselves from the predetermined workflows of the old system so they could harness the power of technology, using applications of their choosing. This revolution helped usher in an era of enhanced productivity and creativity, and not since then have we seen so much disruption to enterprise IT.

Now, the forces of cloud and mobility are pulling IT in a new direction, requiring shops to deliver solutions in a fundamentally different way. The idea of the network as a series of resources that IT delivers within a company is morphing, and in this new era, the enterprise will not always own all the resources, no matter what your IT policy says.

IT must now view its assets not as a server behind a firewall, but in the context of a multitenant, Internet-connected, shared world that extends to cloud applications, with servers and smartphones as nodes on public networks. We're facing a new revolution where employees want to use their preferred devices -- which are customized for them -- along with software solutions that are also tailored to their needs.

Now, it's all about cloud computing and bring your own device (BYOD). Here's a real-life use case: the Veterans Administration just laid out a vision for a BYOD conversion to be completed within five to six years. The VA's CIO Roger Baker says the most recent contract for PCs will likely be their last, as they increasingly invest in flexible solutions that work on personally owned computers. This is a bold plan, but for an organization that has many people working remotely without local IT support, it makes good sense.

If it seems as if cloud applications are being used in organizational pockets, that's because cloud application providers are using an initial process of hooking targeted workers with their products, bypassing the IT purchase process. This method of salesmanship is largely associated with cloud Software as a Service (SaaS) provider Salesforce.com Inc., which snuck in the back door via the Internet to bypass established customer relationship management (CRM) applications and their salespeople. Within a few short years, Salesforce.com became a powerhouse that's now replacing traditional software providers. Cloud software use starts with free trials, then small credit-card expenses and per-user licensing -- cheap, easily justified purchases that turn into a Trojan horse at target accounts.

This example of disruption is the model for many upcoming SaaS businesses today. These smaller companies know they don't have a large group of sales teams that can wine and dine C-level executives, so their focus is on convincing colleagues at every organizational level that they have seen the future, and it's irreversibly now.

The bottom line? People are choosing the tools they want to work the way they want. This is the challenge for IT: How do you manage change?

Horizon
VMware Inc. is building a suite of solutions under the Horizon brand umbrella aimed at managing the post-PC era. There are a couple of key products here, with more efforts and updates expected to be announced during VMworld 2012. The focus extends from virtual apps to SaaS cloud app management to mobile virtualization. These products have been rolling out since the 2010 debut of Horizon Application Manager 1.0. During 2011, VMware unveiled a mobile virtual machine (VM) hypervisor technology known as Horizon Mobile -- which is still in its infancy -- along with Application Manager 1.5.

This targeted rollout is intended to provide solutions that meet specific needs and expand with each iteration to address additional needs. A single management solution will bloom from these core foci, but at this point, you'll want to evaluate the solutions to see if they make sense in your environment.

VMware is providing core pieces of management for nontraditional IT with the current set of Horizon products, but you can already begin to see integration with more traditional deliveries. As Horizon Application Manager adds integration with View ThinApp, the move becomes obvious. Horizon will eventually be the primary point to access all of your applications and data within and outside your organization. The emphasis will be on security, integration and ease of access, regardless of your access method.

Managing SaaS
SaaS offers unlimited promise. With the reduced need for infrastructure and hosted solutions growing at an amazing rate, the potential for cloud as a platform and application delivery service has IT managers eagerly anticipating its benefits. However, managing a cluster of different systems is a challenge yet unmet by most SaaS solutions. In fact, the biggest challenge comes not from applications purchased and controlled through careful IT planning and project management, but from rogue applications. What was previously Lotus 1-2-3 in the PC revolution has turned into Gmail, Twitter, Google Apps, Dropbox, Salesforce.com and a host of other apps that have come in the back door while IT was heads-down trying to keep up with its escalating workloads.

The great effort of the past decade or so to unify our application portfolio using Lightweight Directory Access Protocol (LDAP) and Active Directory is now threatened, as multiple accounts, passwords and unknown permissions within these applications creep up on IT again. When looking at the IT environment from the angle of the service catalog, you can see the challenge this brings. There are possible dependencies and unknowns that could cause problems ranging from custom application development implementation to disaster recovery. Supporting these runaway environments is hard enough without being charged with the impossible task of tracking down every rogue application.

VMware Horizon Application Manager aims to bring these applications back under the fold of management and make them supportable, especially for those that don't rely on internal authentication and established management systems. It does this through predetermined application profiles intended to work with most popular SaaS solutions, allowing centralized management with integration into Active Directory.

Positing Horizon Application Manager as the application unifier is a concept not unlike anointing the centralized intranet as a launching point for corporate information, or deploying SharePoint as a central content management system. The intent of Horizon is to break down the silos of various applications that are insulated not only by old-school client-server and organizational boundaries, but also by the firewall and the computer itself.

There are several other solutions targeting this space. In XenApp, Citrix Systems Inc. has a shining example of applications that can stream to just about any device, from desktops to iPads, and be centrally managed. These apps work well over the Internet by breaking down the barrier of entry into your intranet while ensuring that your network is not dangerously exposed. However, the focus remains on internal applications.

When you look at Microsoft App-V, Citrix XenDesktop and XenApp, or even VMware -- which has often mixed Terminal Server-type Remote Desktop Session Host (RDSH) desktops with virtual desktop infrastructure (VDI) -- you might find implementations with no clear direction as they combine internal application delivery with desktop virtualization. Plus, it can be expensive to move desktop functionality from corporate workstations or laptops onto back-end systems. Storage space and servers are often barriers to VDI implementation.

That's not to say virtual desktops or virtualized application delivery isn't desirable, but perhaps it needs to be balanced with the end user's need to explore other options that provide better performance. It seems silly to force users into the presentation of browser windows from remote computers when every computer already has a browser ready to launch. Why take the benefits of the native experience of a device and narrow it all down to the same old Internet Explorer window? As good as we can make applications look, they still have reduced performance compared to a local window. Because most SaaS applications are designed to run in a local browser that's authenticated and secured to the Internet, what's the point of presenting that from an internal network server for a SaaS application when there are hardly any security or performance benefits?

Horizon Application Manager has expanded from its originally introduced hosted version and now includes a VMware virtual appliance that sits on your internal network. The appliance version of the service negates the need to expose Active Directory to the Internet. It's based on SuSE Linux, but provides an easy Web interface for management. Under most circumstances, users will spend the most time at the console of the virtual appliance when they're prompted for normal administrative tasks such as setting the root password, setting the time zone and configuring networks. The final piece is the database, which installs automatically within the virtual appliance. However, for deployment into production environments -- and especially if you plan on taking advantage of clustering -- you'll want to connect to an external PostgreSQL database server.

Security
If it were as straightforward as relying on a single authentication method, or a single vendor, SaaS management might be easier, but with applications wanting everything from your first dog's name to the scary possibility of Facebook application authentication, there's no one way to approach the SaaS sign-on process. There are plenty of enterprise-level SaaS application vendors that will assist you in integrating your own authentication infrastructure with methods like Microsoft Active Directory Federation Services. Some organizations are reluctant to allow that information outside the firewall, and configuration for multiple applications could become a troubleshooting nightmare of authentication. There's enough to worry about without the intricacies of a third party integrating within your single sign-on solution.

The Connector appliance component of Application Manager provides the link into Active Directory using an LDAP connection, and can also secure that connection using LDAP over SSL. You can expose Application Manager to the Internet using a reverse proxy or DMZ access, which is what most companies will do if they want to maintain that seamless access outside of the firewall. It also provides a link to ThinApp so you can publish your virtualized Windows applications to the same portal.

Installing the Connector requires another virtual appliance with a particular focus on security, as this provides authentication services for Application Manager. Time in the actual console of Linux is, again, limited, with some questions about network configuration, time servers and the like, followed by a quick restart of the Web server. Most of your time will be spent in the Web interface. Connecting to Active Directory for authentication requires that you answer some questions via a configuration wizard. LDAP ports, SSL, where to search for domain names, passwords and the like are all available, with most options being straightforward in an uncomplicated, mostly default domain deployment. If you plan on deploying ThinApp virtualized applications, you'll have a few more steps joining the domain and configuring certificates for external access in the Setup Wizard.

Tying Disparate Apps Together
The term "single pane of glass" is now indiscriminately thrown around by management vendors, but getting as close as possible to centralized management is important for many organizations. When provisioning, managing and maintaining SaaS applications for end users, the console allows a central view of those apps by user, group or app.

So how do virtualized apps fit into this solution? Providing your own internal apps in a browser can transform them into SaaS-style applications using VMware AppBlast, which provides the universal delivery of any application (including Windows-based applications) to any off-the-shelf browser or device supporting HTML5. This enables instant remote access to non-HTML-based applications.

No enterprise is going to transition to Web-based applications immediately -- or at all, in some cases -- so integration with View is key to providing Windows apps inside browsers using HTML5. With that addition, Horizon is aiming to be a "universal service broker," providing all of your applications in a catalog that will be accessible across the enterprise, no matter where the source or the destination device lives.

VMware has also been showing Horizon to provide access to Octopus, the enterprise version of Dropbox-style cloud file sharing. Although Octopus provides enterprise-level control over sharing policies, the nature of Horizon means you can take advantage of any cloud-storage solution such as Box, a competitor in the business cloud storage space.

What's Happening with Mobile?
Horizon Mobile came onto the scene with some fanfare as a solution for bringing the holy grail of data separation to the smartphone. Normally, when a smartphone connects to the network, you can apply certain policies, such as forcing a password, requiring a specific password length or remotely wiping the phone.

There are a few problems with this method. Most solutions rely on Microsoft ActiveSync policies from Exchange in order to manage devices, which also requires policy support on the smartphone itself, and every modern smartphone OS only supports a subset of ActiveSync policy. Even the latest Windows Phone OS doesn't have the full support that the older Windows Mobile 6 did. Alternatively, you might end up relying on RIM BlackBerry devices, which have very granular device management support, but have experienced a serious decline in support over the past three years in favor of devices that offer more consumer-friendly features.

VMware wants to apply virtualization to the phone. The mobile version of Horizon maintains a separate VM running within the OS of the current phone. This VM maintains IT policy, encryption, and separation of corporate data, applications and permissions as a wholly separate section of the phone. This allows you to perform functions and apply policies to the phone that don't hamper or alter the experience associated with the consumer side of the device.

Currently, this is only possible on one mobile platform, the open source Android. However, it's not as simple as downloading an app from Google Play because it requires integration with the hardware as well. So far, we've only seen one phone from LG Electronics capable of this. Meanwhile, other mobile device management (MDM) solution providers are also offering centralized management. In one way, Good Technology Inc. provides a similar concept, but at the application level. All corporate e-mail and other data flows through the Good application and is fully encrypted in the process. Although a bit more limiting than having a full VM available on a phone, Good has taken off as one of the more popular MDM solutions because it works on the Apple iOS for iPhone and iPad, as well as Android.

Pieces in Place
Horizon is obviously the platform VMware wants to provide for its various datacenter technologies and cloud solutions. In addition, the company understands that the latest SaaS is not in-house or single-source. Ben Good, VMware evangelist for Horizon, says, "Horizon specifically addresses SaaS applications on any platform and Windows apps on Windows. However, we're building capabilities which will allow us to support any application and data on any platform, whether it be through app delivery and management or through remoting of virtual applications and desktops."

Horizon will be the way VMware crosses over to overall IT management from the classic infrastructure role the company has today. As SaaS becomes mainstreamed into IT, a solution such as Horizon Application Manager will help bring multiple technologies under one common management platform, with checkboxes for security and policy. It will also provide a central portal for the end user that provides every application he needs. The mobile effort still needs to develop. With only one phone option at the moment, virtualization on smartphones is not really a viable option. But with MDM such a hot area for IT right now, expect VMware to roll out an update to compete in this space.